Howard Chu wrote:
> Michael Ströder wrote:
>> But userCertificate has certificateExactMatch (2.5.13.34) defined as
>> equality matching rule. This is *not* the octetStringMatch (2.5.13.17)
>> matching rule.
>
> It is legal to use an octet string for certificateExactMatch. In
> OpenLDAP the octet string is simply parsed and turned into a certificate
> assertion value and then matched as usual.

It does not work for me with 2.4.22. It's a cert which was downloaded from
the directory. In syslog the following filter is logged:

(?userCertificate;binary=0\82\05M0\82\045\A0\...)

The filter string seems right to me. It's a cert which was downloaded from
one directory entry. But no results are returned.

>> Searching certs with octetStringMatch will obviously not perform well
>> though. I'd recommend thinking about another method.
>
> Probably the encoding of his filter value is just wrong. And of course,
> it would be simpler to just use a certificate assertion value instead.

Performance would be bad anyway. The approach to map certs to user entries
by searching for the whole cert is flawed.

Ciao, Michael.

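The two filter forms discussed above, as an added worked example that is not part of the thread and not OpenLDAP code. It shows (a) the raw-octet form, where the whole DER value goes into the filter with RFC 4515 \HH escaping (the `\82`, `\05` in the logged filter are exactly that notation; RFC 4515 requires it for `\`, `(`, `)`, `*` and NUL and permits it for any byte, so escaping every byte of a DER blob removes any doubt about the encoding), and (b) the RFC 4523 CertificateExactAssertion form `{ serialNumber N, issuer rdnSequence:"DN" }`, which is the assertion syntax certificateExactMatch is actually defined on and carries only serial number and issuer. The certificate is constructed inside the script with a small DER encoder (dummy key and signature), the function names are mine, and the OID table covers only C, O and CN; an issuer using other attribute types raises KeyError rather than producing a wrong DN.

```python
"""Two ways to put a userCertificate value into an LDAP search filter:
the raw DER octets with RFC 4515 \\HH escaping, and the RFC 4523
CertificateExactAssertion  { serialNumber N, issuer rdnSequence:"DN" }.
The certificate below is constructed in this script, not a real CA's."""

# --- minimal DER encoder, only what the constructed sample needs ---------------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(v: int) -> bytes:                 # non-negative INTEGER, minimal length
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

# attribute types this sample maps to RFC 4514 short names (extend as needed)
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}

def der_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type, value }), root RDN first."""
    out = b""
    for short, value in rdns:
        oid = next(k for k, v in OID_NAMES.items() if v == short)
        string_tag = 0x13 if short == "C" else 0x0C          # PrintableString / UTF8String
        out += der(0x31, der(0x30, der(0x06, oid) + der(string_tag, value.encode())))
    return der(0x30, out)

def sample_certificate(serial: int, issuer_rdns) -> bytes:
    """Structurally a Certificate (RFC 5280) with a dummy key and signature."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + der(0x30, der_int(3) + der_int(65537))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + der_name(issuer_rdns) + validity + der_name(issuer_rdns) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))

# --- minimal DER reader and the two filter builders ----------------------------
def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after the TLV) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body: bytes):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        items.append((tag, inner))
    return items

def dn_escape(value: str) -> str:
    """RFC 4514 escaping of one attribute value inside a string DN."""
    s = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if s[:1] in ("#", " "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s

def serial_and_issuer(cert: bytes):
    """Extract serialNumber and the issuer as an RFC 4514 string from a DER cert."""
    _, tbs, _ = der_read(der_read(cert, 0)[1], 0)            # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    rdns = []
    for _, rdn in der_children(fields[2][1]):                  # serialNumber, signature, issuer
        atvs = []
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            atvs.append(OID_NAMES[oid] + "=" + dn_escape(value.decode()))  # KeyError if unmapped
        rdns.append("+".join(atvs))
    return serial, ",".join(reversed(rdns))                    # RFC 4514: last RDN first

def filter_escape(value: bytes, every_byte: bool = False) -> str:
    """RFC 4515: \\ ( ) * NUL must be \\HH, any byte may be; non-ASCII is escaped too."""
    return "".join(f"\\{b:02x}" if every_byte or b >= 0x80 or b in b"\\()*\x00" else chr(b)
                   for b in value)

def filter_raw_octets(cert: bytes) -> str:
    """Whole DER value as the assertion; escaping every byte avoids any encoding doubt."""
    return "(userCertificate;binary=" + filter_escape(cert, every_byte=True) + ")"

def filter_exact_assertion(cert: bytes) -> str:
    """RFC 4523 assertion: only serial and issuer travel, not the whole certificate."""
    serial, issuer = serial_and_issuer(cert)
    issuer = issuer.replace('"', '""')        # GSER (RFC 3641) doubles quotes in a StringValue
    assertion = f'{{ serialNumber {serial}, issuer rdnSequence:"{issuer}" }}'
    return "(userCertificate=" + filter_escape(assertion.encode()) + ")"

# constructed sample: serial 0x1A2B, issuer C=DE, O=Example, CN=Example CA (DER order)
CERT = sample_certificate(0x1A2B, [("C", "DE"), ("O", "Example"), ("CN", "Example CA")])
```

For CERT, `filter_exact_assertion` yields `(userCertificate={ serialNumber 6699, issuer rdnSequence:"CN=Example CA,O=Example,C=DE" })`, while `filter_raw_octets` produces a filter three characters per certificate byte long. Note the two layers of escaping in the assertion form: an issuer value containing a comma becomes `Foo\, Inc` under RFC 4514, and that backslash must then be written `\5c` under RFC 4515 before the string is usable as a filter.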